Educause Security Discussion mailing list archives

Re: Unusual pattern of compromised accounts


From: "Pollock, Joseph" <PollockJ () EVERGREEN EDU>
Date: Fri, 26 Jan 2018 21:29:34 +0000

They appear to have the current passwords.  The problems all happened the same evening.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Haselhoff, Brent
Sent: Friday, January 26, 2018 1:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Unusual pattern of compromised accounts

Were the employees' passwords reset, or did they get in using the current passwords?

Brent Haselhoff
Manager, IT Security and Identity Management
brent.haselhoff () wku edu
270-745-2012

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pollock, Joseph
Sent: Friday, January 26, 2018 3:17 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Unusual pattern of compromised accounts

Has anyone observed the following:


1. A cluster of compromised accounts with no indication of a common factor such as clicking on a phishing link. Users have no idea how the compromise occurred.

2. The culprits change the user's direct deposit authorization.

3. They may have been familiar with the Banner system.

4. No other activity was observed.

We are looking for other indications, such as compromised desktops, but have found nothing as yet.

Please reply outside the list if you wish.

Joe Pollock
Network Services
The Evergreen State College
